From Nandana Mihindukulasooriya <nandana....@gmail.com>
Subject Re: AXIS2 - Security Policy Problem (Is this a bug?)
Date Tue, 07 Jul 2009 16:36:39 GMT
Hi Amitesh,
Axis2/Rampart doesn't support policy alternatives, which is the
feature you are referring to. When multiple policy alternatives are present, it
will only honor the first alternative. That is why you're experiencing this
behavior. One workaround would be to have multiple bindings with these
alternative policies, and clients can choose which binding to talk to.

thanks,
Nandana

On Mon, Jul 6, 2009 at 9:53 PM, amiteshksingh <amiteshksingh@live.com> wrote:

>
> Has anyone done this before? It seems a bug to me, however I am not sure
> because I am new to AXIS2.
>
>
>
> amiteshksingh wrote:
> >
> > Hi,
> >
> > I have one Service which contains two separate policy for two different
> > clients using the <sp:ExactlyOne> policy operator as given below
> > Service Policy:
> >
> > <wsp:Policy wsu:Id="SgnOnlyAnonymous"
> >     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> >     xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
> >     xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >   <wsp:ExactlyOne>
> >     <wsp:All>
> >       <wsp:ExactlyOne>
> >         <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >           <wsp:Policy>
> >             <sp:InitiatorToken>
> >               <wsp:Policy>
> >                 <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> >                   <wsp:Policy>
> >                     <sp:RequireThumbprintReference/>
> >                     <sp:WssX509V3Token10/>
> >                   </wsp:Policy>
> >                 </sp:X509Token>
> >               </wsp:Policy>
> >             </sp:InitiatorToken>
> >             <sp:RecipientToken>
> >               <wsp:Policy>
> >                 <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
> >                   <wsp:Policy>
> >                     <sp:RequireThumbprintReference/>
> >                     <sp:WssX509V3Token10/>
> >                   </wsp:Policy>
> >                 </sp:X509Token>
> >               </wsp:Policy>
> >             </sp:RecipientToken>
> >             <sp:AlgorithmSuite>
> >               <wsp:Policy>
> >                 <sp:TripleDesRsa15/>
> >               </wsp:Policy>
> >             </sp:AlgorithmSuite>
> >             <sp:Layout>
> >               <wsp:Policy>
> >                 <sp:Strict/>
> >               </wsp:Policy>
> >             </sp:Layout>
> >             <sp:IncludeTimestamp/>
> >             <sp:OnlySignEntireHeadersAndBody/>
> >           </wsp:Policy>
> >         </sp:AsymmetricBinding>
> >         <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >           <wsp:Policy>
> >             <sp:TransportToken>
> >               <wsp:Policy>
> >                 <!-- <sp:HttpsToken RequireClientCertificate="false"/> -->
> >               </wsp:Policy>
> >             </sp:TransportToken>
> >             <sp:AlgorithmSuite>
> >               <wsp:Policy>
> >                 <sp:Basic256/>
> >               </wsp:Policy>
> >             </sp:AlgorithmSuite>
> >             <sp:Layout>
> >               <wsp:Policy>
> >                 <sp:Lax/>
> >               </wsp:Policy>
> >             </sp:Layout>
> >             <sp:IncludeTimestamp/>
> >           </wsp:Policy>
> >         </sp:TransportBinding>
> >       </wsp:ExactlyOne>
> >       <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
> >         <ramp:user>service</ramp:user>
> >         <ramp:encryptionUser>client</ramp:encryptionUser>
> >         <ramp:passwordCallbackClass>com.accenture.apsp.security.PWCBHandler</ramp:passwordCallbackClass>
> >         <ramp:signatureCrypto>
> >           <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
> >             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
> >             <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
> >             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
> >           </ramp:crypto>
> >         </ramp:signatureCrypto>
> >       </ramp:RampartConfig>
> >     </wsp:All>
> >   </wsp:ExactlyOne>
> > </wsp:Policy>
> >
> > 1st client policy:
> >
> > <wsp:Policy wsu:Id="UTOverTransport"
> >     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> >     xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >   <wsp:ExactlyOne>
> >     <wsp:All>
> >       <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >         <wsp:Policy>
> >           <sp:TransportToken>
> >             <wsp:Policy>
> >               <!-- <sp:HttpsToken RequireClientCertificate="false"/> -->
> >             </wsp:Policy>
> >           </sp:TransportToken>
> >           <sp:AlgorithmSuite>
> >             <wsp:Policy>
> >               <sp:Basic256/>
> >             </wsp:Policy>
> >           </sp:AlgorithmSuite>
> >           <sp:Layout>
> >             <wsp:Policy>
> >               <sp:Lax/>
> >             </wsp:Policy>
> >           </sp:Layout>
> >           <sp:IncludeTimestamp/>
> >         </wsp:Policy>
> >       </sp:TransportBinding>
> >       <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
> >         <ramp:user>client</ramp:user>
> >         <ramp:encryptionUser>service</ramp:encryptionUser>
> >         <ramp:passwordCallbackClass>com.accenture.apsp.security.PWCBHandler</ramp:passwordCallbackClass>
> >         <ramp:signatureCrypto>
> >           <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
> >             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
> >             <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
> >             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
> >           </ramp:crypto>
> >         </ramp:signatureCrypto>
> >       </ramp:RampartConfig>
> >     </wsp:All>
> >   </wsp:ExactlyOne>
> > </wsp:Policy>
> >
> > 2nd Client policy:
> >
> > <wsp:Policy wsu:Id="SigOnly"
> >     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> >   <wsp:ExactlyOne>
> >     <wsp:All>
> >       <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >         <wsp:Policy>
> >           <sp:InitiatorToken>
> >             <wsp:Policy>
> >               <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> >                 <wsp:Policy>
> >                   <sp:RequireThumbprintReference/>
> >                   <sp:WssX509V3Token10/>
> >                 </wsp:Policy>
> >               </sp:X509Token>
> >             </wsp:Policy>
> >           </sp:InitiatorToken>
> >           <sp:RecipientToken>
> >             <wsp:Policy>
> >               <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
> >                 <wsp:Policy>
> >                   <sp:RequireThumbprintReference/>
> >                   <sp:WssX509V3Token10/>
> >                 </wsp:Policy>
> >               </sp:X509Token>
> >             </wsp:Policy>
> >           </sp:RecipientToken>
> >           <sp:AlgorithmSuite>
> >             <wsp:Policy>
> >               <sp:TripleDesRsa15/>
> >             </wsp:Policy>
> >           </sp:AlgorithmSuite>
> >           <sp:Layout>
> >             <wsp:Policy>
> >               <sp:Strict/>
> >             </wsp:Policy>
> >           </sp:Layout>
> >           <sp:IncludeTimestamp/>
> >           <sp:OnlySignEntireHeadersAndBody/>
> >         </wsp:Policy>
> >       </sp:AsymmetricBinding>
> >       <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
> >         <ramp:user>client</ramp:user>
> >         <ramp:encryptionUser>service</ramp:encryptionUser>
> >         <ramp:passwordCallbackClass>com.accenture.apsp.security.PWCBHandler</ramp:passwordCallbackClass>
> >         <ramp:signatureCrypto>
> >           <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
> >             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
> >             <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
> >             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
> >           </ramp:crypto>
> >         </ramp:signatureCrypto>
> >       </ramp:RampartConfig>
> >     </wsp:All>
> >   </wsp:ExactlyOne>
> > </wsp:Policy>
> >
> > When I am running the 2nd client it's working fine, since the second client's
> > policy matches the service's <ExactlyOne>'s first element, and if I am
> > running the 1st client I am getting the error
> > "org.apache.axis2.AxisFault: Message is not signed"
> >
> > In the service, if I am switching the policy sequence, then the 1st client
> > works fine and the second client gives the error.
> >
> > As per the specification it should work for both clients. Can anybody tell me
> > what I am doing wrong?
> >
> > Thanks in advance,
> > Amitesh
> >
>
> --
> View this message in context:
> http://www.nabble.com/AXIS2---Security-Policy-Problem-tp24314266p24358644.html
> Sent from the Axis - User mailing list archive at Nabble.com.
>
>

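To see concretely which alternative Rampart ends up enforcing, and why swapping the order flips which client fails, here is an added Python check that is not code from the thread or from Rampart itself. It normalises a WS-Policy document into its alternatives using the WS-Policy ExactlyOne/All rules and, mirroring the behaviour Nandana describes, treats only the first alternative as enforced. The policy it parses is a constructed, trimmed copy of the service policy above; `service_policy`, `alternatives`, `rampart_view` and `client_is_served` are names chosen here.

```python
import itertools
import xml.etree.ElementTree as ET

WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
RAMP = "http://ws.apache.org/rampart/policy"


def service_policy(*bindings):
    """Constructed, trimmed-down copy of the thread's service policy: an inner
    <wsp:ExactlyOne> offering the given bindings, followed by RampartConfig."""
    inner = "".join(
        f"<sp:{b}><wsp:Policy><sp:IncludeTimestamp/></wsp:Policy></sp:{b}>" for b in bindings)
    return (f'<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}" xmlns:ramp="{RAMP}">'
            f"<wsp:ExactlyOne><wsp:All><wsp:ExactlyOne>{inner}</wsp:ExactlyOne>"
            "<ramp:RampartConfig/></wsp:All></wsp:ExactlyOne></wsp:Policy>")


def alternatives(elem):
    """WS-Policy normal form: a list of alternatives, each a list of the names
    of its top-level assertions (the nested policy inside an assertion is kept
    opaque, which is all this check needs)."""
    if elem.tag == f"{{{WSP}}}ExactlyOne":              # union of the children's alternatives
        return [alt for child in elem for alt in alternatives(child)]
    if elem.tag in (f"{{{WSP}}}Policy", f"{{{WSP}}}All"):  # cross product of the children
        alts = [[]]
        for child in elem:
            alts = [a + b for a, b in itertools.product(alts, alternatives(child))]
        return alts
    return [[elem.tag.rpartition("}")[2]]]              # a single assertion


def rampart_view(policy_xml):
    """What the thread reports Rampart does: only the first alternative is
    enforced; every later alternative is never offered to a client."""
    alts = alternatives(ET.fromstring(policy_xml))
    return {"enforced": alts[0] if alts else [], "unreachable": alts[1:]}


def client_is_served(policy_xml, binding):
    """True if a client built around `binding` matches the enforced alternative."""
    return binding in rampart_view(policy_xml)["enforced"]


if __name__ == "__main__":
    for order in (("AsymmetricBinding", "TransportBinding"),
                  ("TransportBinding", "AsymmetricBinding")):
        view = rampart_view(service_policy(*order))
        print(order, "-> enforced:", view["enforced"], "unreachable:", view["unreachable"])
```

Run against the original order, the TransportBinding alternative is reported unreachable, which is the "Message is not signed" client; reversing the order moves the AsymmetricBinding client into the unreachable set instead.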